Abstract

We say that the sequence $g_n$, $n > 3$, $n \to \infty$ of polynomial transformation bijective maps of the free module $K^n$ over a commutative ring $K$ is a sequence of stable degree if the order of $g_n$ is growing with $n$ and the degree of each nonidentical polynomial map of kind $g_n^k$ is an independent constant $c$. A transformation $b = \tau g_n^k \tau^{-1}$, where $\tau$ is an affine bijection, $n$ is large and $k$ is relatively small, can be used as a base of the group theoretical Diffie-Hellman key exchange algorithm for the Cremona group $C(K^n)$ of all regular automorphisms of $K^n$. The specific feature of this method is that the order of the base may be unknown to the adversary because of the complexity of its computation. The exchange can be implemented by tools of Computer Algebra (symbolic computations). The adversary cannot use the degree of the right hand side in $b^x = d$ to evaluate the unknown $x$ in this form of the discrete logarithm problem.

In the paper we introduce explicit constructions of sequences of elements of stable degree for the case $c = 3$ for each commutative ring $K$ containing at least 3 regular elements and discuss the implementation of the related key exchange and public key algorithms.

Key Words: Key exchange, public key cryptography, symbolic computations, 
graphs and digraphs of large girth. 



1 Introduction 

The discrete logarithm problem can be formulated for a general finite group $G$: find a positive integer $x$ satisfying the condition $g^x = b$, where $g \in G$ and $b \in G$. The problem has the reputation of being a difficult one. But even in the case of a cyclic group $C$ there are many open questions. If $C = Z_p^*$ or $C = Z_{pq}^*$, where $p$ and $q$ are "sufficiently large" primes, then the complexity of the discrete logarithm problem justifies the classical Diffie-Hellman key exchange algorithm and RSA public key encryption, respectively. In most other cases the complexity of the discrete logarithm problem is not investigated properly. The problem is very dependent on the choice of the base $g$ and the way of presenting the data on the group. A group can be defined via generators and relations, as the automorphism group of an algebraic variety, as a matrix group, as a permutation group, etc. In this paper we assume that $G$ is a subgroup of $S_{p^n}$, the group of polynomial bijective transformations of the vector space $F_p^n$ into itself. Obviously $|S_{p^n}| = (p^n)!$; it is known that each permutation $\pi$ can be written in the form $x_1 \to f_1(x_1, x_2, \ldots, x_n)$, $x_2 \to f_2(x_1, x_2, \ldots, x_n)$, $\ldots$, $x_n \to f_n(x_1, x_2, \ldots, x_n)$, where the $f_i$ are multivariable polynomials from $F_p[x_1, x_2, \ldots, x_n]$. The presentation of $G$ as a subgroup of $S_{p^n}$ is chosen because the Diffie-Hellman algorithm here will be implemented by the tools of symbolic computations. Another reason is universality: as follows from classical Cayley results, each finite group $G$ can be embedded in $S_{p^n}$ for appropriate $p$ and $n$ in various ways.

Let $F_p$, where $p$ is prime, be a finite field. Affine transformations $x \to Ax + b$, where $A$ is an invertible matrix and $b \in (F_p)^n$, form the affine group $AGL_n(F_p)$ acting on $F_p^n$.

Affine transformations form an affine group $AGL_n(F_p)$ of order $p^n (p^n - 1)(p^n - p) \cdots (p^n - p^{n-1})$ in the symmetric group $S_{p^n}$ of order $p^n!$. In [12] the maximality of $AGL_n(F_p)$ in $S_{p^n}$ was proven. So we can present each permutation $\pi$ as a composition of several "seed" maps of kind $\tau_1 g \tau_2$, where $\tau_1, \tau_2 \in AGL_n(F_p)$ and $g$ is a fixed map of degree $\ge 2$.

We can choose the base of $F_p^n$ and write each permutation $g \in S_{p^n}$ as a "public rule":

$x_1 \to g_1(x_1, x_2, \ldots, x_n),\ x_2 \to g_2(x_1, x_2, \ldots, x_n),\ \ldots,\ x_n \to g_n(x_1, x_2, \ldots, x_n).$

Let $g^k \in S_{p^n}$ be the new public rule obtained via iteration of $g$. We consider the Diffie-Hellman algorithm for $S_{p^n}$ for the key exchange in this group. Correspondents Alice and Bob establish $g \in S_{p^n}$ via an open communication channel; they choose positive integers $n_A$ and $n_B$, respectively. They exchange the public rules $h_A = g^{n_A}$ and $h_B = g^{n_B}$ via the open channel. Finally, Alice and Bob compute the common transformation $T$ as $h_B^{n_A}$ and $h_A^{n_B}$ respectively.

In practice they can establish a common vector $v = (v_1, v_2, \ldots, v_n)$, $v_i \in F_p$, $i = 1, \ldots, n$ via the open channel and use the collision vector $T(v)$ as a password for their private key encryption algorithm.

This scheme of the symbolic Diffie-Hellman algorithm can be secure if the order of $g$ is "sufficiently large" and the adversary is not able to compute the number $n_A$ (or $n_B$) as a function of the degrees of $g$ and $h_A$. An obvious bad example is the following: $g$ sends $x_i$ into $x_i^k$ for each $i$. In this case $n_A$ is just a ratio of $\deg h_A$ and $\deg g$.

To avoid such trouble one can look at a family of subgroups $G_n$ of $S_{p^n}$, $n \to \infty$, such that the maximal degree of its elements equals $c$, where $c$ is a small independent constant (groups of degree $c$ or groups of stable degree). Our paper is devoted to explicit constructions of such families.

We refer to a sequence of elements $g_n \in G_n$ such that all its nonidentical powers are of degree $c$ as elements of stable degree. This is equivalent to the stability of the family of cyclic groups generated by $g_n$. Of course, cyclic groups are important for the Diffie-Hellman type protocols.

It is clear that the affine groups $AGL_n(F_p)$, $n \to \infty$, form a family of subgroups of stable degree for $c = 1$, and all nonidentical affine transformations are of stable degree. Notice that if $g$ is a linear diagonalisable element of $AGL_n(F_p)$, then the discrete logarithm problem for the base $g$ is equivalent to the classical number theoretical problem. Obviously, in this case we are losing the flavor of symbolic computations. One can take a subgroup $H$ of $AGL_n(F_p)$ and consider its conjugation with a nonlinear bijective polynomial map $f$. Of course the group $H' = f^{-1} H f$ will also be a stable group, but for "most pairs" $f$ and $H$ the group $H'$ will be of degree $\deg f \times \deg f^{-1} \ge 4$ because of the nonlinearity of $f$ and $f^{-1}$.

So the problem of constructing infinite families of subgroups $G_n$ in $S_{p^n}$ of degree 2 and 3 may attract some attention.

The general problem of constructing infinite families of stable subgroups $G_n$ of $S_{p^n}$ of degree $c$ satisfying some additional conditions (unbounded growth of the minimal order of nonidentical group elements, existence of a well defined projective limit, etc.) can also be interesting because of possible applications in cryptography.

Notice that even if we conjugate a nonlinear $C$ with an invertible linear transformation $\tau \in AGL_n(F_p)$, some important cryptographical parameters of $C$ and $C' = \tau^{-1} C \tau$ can be different. Of course conjugate generators $g$ and $g'$ have the same number of fixed points and the same cyclic structure as permutations, but counting the equal coordinates for the pairs $(x, g(x))$ and $(x, g'(x))$ may bring very different results.

So two conjugate families of stable degree are not quite equivalent because the corresponding cryptanalytical problems may have different complexity.

We generalize the above problem to the case of the Cremona group of the free module $K^n$, where $K$ is an arbitrary commutative ring. For cryptography the case of finite rings is the most important. Finite fields $F_{p^n}$, $n > 1$, and cyclic rings $Z_m$ (especially $m = 2^7$ (ASCII codes), $m = 2^8$ (binary codes), $m = 2^{16}$ (arithmetic), $m = 2^{32}$ (double precision arithmetic)) are especially popular. The case of infinite rings $K$ of characteristic zero (especially $Z$ or $C$) is interesting as well because Matijasevich multivariable prime approximation polynomials can be defined there (see, for instance, [20] and further references).

So it is natural to change the vector space $F_p^n$ for the free module $K^n$ (Cartesian power of $K$) and the symmetric group $S_{p^n}$ for the Cremona group $C(n,K)$ of all polynomial automorphisms of $K^n$.

We repeat our definition for the more general situation of a commutative ring.

Let $G_n$, $n > 3$, $n \to \infty$ be a sequence of subgroups of $C(n,K)$. We say that $G_n$ is a family of groups of stable degree (or subgroups of degree $c$) if the maximal degree of a representative $g \in G_n$ is some independent constant $c$.

Recall that the cases of degree 2 and 3 are especially important.

The first family of stable subgroups of $C_n(F_q)$, $K = F_q$, with degree 3 was practically established in [21], where the degrees of polynomial graph based public key maps were evaluated. But the group theoretical language was not used there and the problem of key exchange was not considered.

So we reformulate the results of [21] in terms of the Cremona group over a general ring in section 2 of the current paper.

Additionally we show the existence of cubic elements of large order in the case of a finite field.

Those results are based on the construction of the family $D(n,q)$ of graphs with large girth and the description of their connected components $CD(n,q)$. The existence of infinite families of graphs of large girth had been proven by Paul Erdős (see [2]). Together with the famous Ramanujan graphs introduced by G. Margulis [11] and investigated in [10], the graphs $CD(n,q)$ are one of the first explicit constructions of such families with unbounded degree. Graphs $D(n,q)$ had been used for the construction of LDPC codes and turbocodes which were used in real satellite communications (see [3], [1], [5], [H]), for the development of private key encryption algorithms [E], [18], [13], [7]; the option to use them for public key cryptography was considered in [16], [15] and in [H], where the related dynamical system had been introduced (see also the surveys [19], [20]).

The computer simulation shows that stable subgroups related to $D(n,q)$ contain elements of very large order, but our theoretical linear bounds on the order are relatively weak. We hope to improve this gap in the future and justify the use of $D(n,q)$ for the key exchange.

In section 4 we also will use graphs and related finite automata for the construction of families of stable subgroups with degree 3 of the Cremona group $C(n,K)$ over a general ring $K$ containing elements of large order (the order is growing with the growth of $n$). The first family of stable groups was obtained via studies of simple algebraic graphs defined over $F_q$. For general constructions of stable groups over a commutative ring $K$ we use directed graphs with a special colouring. The main result of the paper is the following statement.

Theorem 1 For each commutative ring $K$ with at least 3 regular elements there is a family $Q_n$ of subgroups of the Cremona group $C(K^n)$ of degree 3 such that the projective limit $Q$ of $Q_n$, $n \to \infty$ is well defined, the group $Q$ is of infinite order, and it contains elements $g$ of infinite order such that there exists a sequence $g_n \in Q_n$, $n \to \infty$ of stable elements with $\lim g_n = g$.

The family $Q_n$ is obtained via explicit constructions. So we may use in a finite ring $K$ with at least 3 regular elements the sequence equivalent to $g_n$ for the key exchange. We show that the growth of the order of $g_n$ when $n$ is growing can be bounded from below by some linear function $\alpha \times n + \beta$. In the case of such a sequence of groups $G_n = Q_n$ we can modify a sequence $g_i$ of elements of stable degree by conjugation with $h_i \in G_i$. The new sequence $d_i = h_i^{-1} g_i h_i$ can also be a sequence of elements of stable degree.

Let us discuss the asymmetry of our modified Diffie-Hellman algorithms of the key exchange in detail. Correspondents Alice and Bob are in different shoes. Alice chooses the dimension $n$, an element $g_n$ as in the theorem above, an element $h \in Q_n$ and an affine transformation $\tau \in AGL_n(K)$. So she obtains the base $b = \tau^{-1} h^{-1} g_n h \tau$ and sends it in the form of a standard polynomial map to Bob.

Our groups $Q_n$ are defined by the set of their generators, and Alice can compute the words $h^{-1} g_n h$, $b$ and its powers very fast. So Alice chooses a rather large number $n_A$, computes $c_A = b^{n_A}$ and sends it to Bob. At his turn Bob chooses his own key $n_B$ and computes $c_B = b^{n_B}$. He and Alice are getting the collision map $c$ as $c_A^{n_B}$ and $c_B^{n_A}$ respectively.

Remark. Notice that the adversary is in the same shoes as the public user Bob. He (or she) needs to solve one of the equations $b^x = c_B$ or $b^x = c_A$. The algorithm is implemented in the cases of finite fields and rings $Z_m$ for the family of groups $Q_n$. We present its time evaluation (generation of $b$ and $b^{n_A}$ by Alice and computation of $b^{n_B}$ by Bob) in the last section of the paper. We continue the studies of the orders of $g_n$ theoretically and by computer simulation.

The computer simulation shows that the number of monomial expressions of kind $x_{t_1} x_{t_2} x_{t_3}$ with nonzero coefficient is rather close to the binomial coefficient $C_n^3$. So the time of computation of $b^{n_B}$, $c_B^{n_A}$ and $c_A^{n_B}$ can be evaluated via the complexity of the computation of the composition of several general cubical polynomial maps in $n$ variables.



2 Walks on infinite forest D(q) and corresponding groups

2.1 Graphs and incidence system 

The missing definitions of graph-theoretical concepts which appear in this paper can be found in [2]. All graphs we consider are simple, i.e. undirected without loops and multiple edges. Let $V(G)$ and $E(G)$ denote the set of vertices and the set of edges of $G$, respectively. Then $|V(G)|$ is called the order of $G$, and $|E(G)|$ is called the size of $G$. A path in $G$ is called simple if all its vertices are distinct. When it is convenient, we shall identify $G$ with the corresponding anti-reflexive binary relation on $V(G)$, i.e. $E(G)$ is a subset of $V(G) \times V(G)$, and write $vGu$ for the adjacent vertices $u$ and $v$ (or neighbours). The sequence of distinct vertices $v_1, \ldots, v_t$ such that $v_i G v_{i+1}$ for $i = 1, \ldots, t-1$ is a path in the graph. The length of a path is the number of its edges. The distance $dist(u,v)$ between two vertices is the length of the shortest path between them. The diameter of the graph is the maximal distance between two vertices $u$ and $v$ of the graph. Let $C_m$ denote the cycle of length $m$, i.e. the sequence of distinct vertices $v_1, \ldots, v_m$ such that $v_i G v_{i+1}$, $i = 1, \ldots, m-1$ and $v_m G v_1$. The girth of a graph $G$, denoted by $g = g(G)$, is the length of the shortest cycle in $G$. The degree of a vertex $v$ is the number of its neighbours (see pQ or [2]).

The incidence structure is the set $V$ with partition sets $P$ (points) and $L$ (lines) and a symmetric binary relation $I$ such that the incidence of two elements implies that one of them is a point and the other is a line. We shall identify $I$ with the simple graph of this incidence relation (bipartite graph). If the number of neighbours of each element is finite and depends only on its type (point or line), then the incidence structure is a tactical configuration in the sense of Moore (see [12]). The graph is $k$-regular if each of its vertices has degree $k$, where $k$ is a constant. In this section we reformulate the results of [8], [H], where the $q$-regular tree was described in terms of equations over the finite field $F_q$.

Let $q$ be a prime power, and let $P$ and $L$ be two countably infinite dimensional vector spaces over $F_q$. Elements of $P$ will be called points and those of $L$ lines. To distinguish points from lines we use parentheses and brackets: if $x \in V$, then $(x) \in P$ and $[x] \in L$. It will also be advantageous to adopt the notation for coordinates of points and lines introduced in [11]:

$(p) = (p_1, p_{11}, p_{12}, p_{21}, p_{22}, p'_{22}, p_{23}, \ldots, p_{ii}, p'_{ii}, p_{i,i+1}, p_{i+1,i}, \ldots),$

$[l] = [l_1, l_{11}, l_{12}, l_{21}, l_{22}, l'_{22}, l_{23}, \ldots, l_{ii}, l'_{ii}, l_{i,i+1}, l_{i+1,i}, \ldots].$



We now define an incidence structure $(P, L, I)$ as follows. We say the point $(p)$ is incident with the line $[l]$, and we write $(p)I[l]$, if the following relations between their coordinates hold:

$l_{11} - p_{11} = l_1 p_1$

$l_{12} - p_{12} = l_{11} p_1$

$l_{21} - p_{21} = l_1 p_{11}$

$l_{ii} - p_{ii} = l_1 p_{i-1,i}$    (1)

$l'_{ii} - p'_{ii} = l_{i,i-1} p_1$

$l_{i,i+1} - p_{i,i+1} = l_{ii} p_1$

$l_{i+1,i} - p_{i+1,i} = l_1 p'_{ii}$

(The last four relations are defined for $i \ge 2$.) This incidence structure $(P, L, I)$ we denote as $D(q)$. We speak now of the incidence graph of $(P, L, I)$, which has the vertex set $P \cup L$ and edge set consisting of all pairs $\{(p), [l]\}$ for which $(p)I[l]$. To facilitate notation in future results, it will be convenient for us to define $p_{-1,0} = l_{0,-1} = p_{1,0} = l_{0,1} = 0$, $p_{0,0} = l_{0,0} = -1$, $p'_{0,0} = l'_{0,0} = 1$, $p_{0,1} = p_1$, $l_{1,0} = l_1$, $l'_{1,1} = l_{1,1}$, $p'_{1,1} = p_{1,1}$, and to rewrite (1) in the form:



$l_{ii} - p_{ii} = l_1 p_{i-1,i}$

$l'_{ii} - p'_{ii} = l_{i,i-1} p_1$

$l_{i,i+1} - p_{i,i+1} = l_{ii} p_1$

$l_{i+1,i} - p_{i+1,i} = l_1 p'_{ii}$

for $i = 0, 1, 2, \ldots$

Notice that for $i = 0$ the four conditions (1) are satisfied by every point and line, and for $i = 1$ the first two equations coincide and give $l_{11} - p_{11} = l_1 p_1$.

For each positive integer $k \ge 2$ we obtain an incidence structure $(P_k, L_k, I_k)$ as follows. First, $P_k$ and $L_k$ are obtained from $P$ and $L$, respectively, by simply projecting each vector onto its $k$ initial coordinates. The incidence $I_k$ is then defined by imposing the first $k-1$ incidence relations and ignoring all others. For fixed $q$, the incidence graph corresponding to the structure $(P_k, L_k, I_k)$ is denoted by $D(k,q)$. It is convenient to define $D(1,q)$ to be equal to $D(2,q)$. The properties of the graphs $D(k,q)$ that we are concerned with are described in the following proposition.



Theorem 2 [9] Let $q$ be a prime power, and $k \ge 2$. Then

(i) $D(k,q)$ is a $q$-regular edge-transitive bipartite graph of order $2q^k$;
(ii) for odd $k$, $g(D(k,q)) \ge k + 5$; for even $k$, $g(D(k,q)) \ge k + 4$.

We have a natural one-to-one correspondence between the coordinates $2, 3, \ldots, n, \ldots$ of tuples (points or lines) and equations. It is convenient for us to rename by $i + 2$ the coordinate which corresponds to the equation with the number $i$ and write $[l] = [l_1, l_2, \ldots, l_n, \ldots]$ and $(p) = (p_1, p_2, \ldots, p_n, \ldots)$ (line and point in "natural coordinates").

Let $\eta_i$ be the map "deleting all coordinates with numbers $> i$" from $D(q)$ to $D(i,q)$, and $\eta_{i,j}$ be the map "deleting all coordinates with numbers $> i$" from $D(j,q)$, $j > i$, into $D(i,q)$.

The following statement follows directly from the definitions:

Proposition 1 (see JMj) The projective limit of $D(i,q)$, $\eta_{i,j}$, $i \to \infty$ is an infinite forest $D(q)$.

Let us consider the description of connected components of the graphs. 

Let $k \ge 6$, $t = [(k+2)/4]$, and let $u = (u_1, u_{11}, \ldots, u_{tt}, u'_{tt}, u_{t,t+1}, u_{t+1,t}, \ldots)$ be a vertex of $D(k,q)$. (It does not matter whether $u$ is a point or a line.) For every $r$, $2 \le r \le t$, let

$a_r = a_r(u) = \sum_{i=0}^{r} \left( u_{ii} u'_{r-i,r-i} - u_{i,i+1} u_{r-i,r-i-1} \right)$

and $a = a(u) = (a_2, a_3, \ldots, a_t)$. (Here we define $p_{-1,0} = l_{0,-1} = p_{1,0} = l_{0,1} = 0$, $p_{00} = l_{00} = -1$, $p_{0,1} = p_1$, $l_{1,0} = l_1$, $p'_{00} = l'_{00} = 1$, $l'_{11} = l_{11}$, $p'_{11} = p_{11}$.)

In [8] the following statement was proved.

Proposition 2 Let $u$ and $v$ be vertices from the same component of $D(k,q)$. Then $a(u) = a(v)$. Moreover, for any $t - 1$ field elements $x_i \in F_q$, $2 \le i \le t = [(k+2)/4]$, there exists a vertex $v$ of $D(k,q)$ for which $a(v) = (x_2, \ldots, x_t) = (x)$.

Let us consider the following equivalence relation $\tau$: $u \tau v$ iff $a(u) = a(v)$ on the set $P \cup L$ of vertices of $D(k,q)$ ($D(q)$). The equivalence class of $\tau$ containing the vertex $v$ satisfying $a(v) = (x)$ can be considered as the set of vertices of the induced subgraph $EQ_{(x)}(k,q)$ ($EQ_{(x)}(q)$) of the graph $D(k,q)$ (respectively, $D(q)$). When $(x) = (0, \ldots, 0)$, we will omit the index and write simply $EQ(k,q)$.

Let $CD(q)$ be the connected component of $D(q)$ which contains $(0, 0, \ldots)$. Let $\tau'$ be the equivalence relation on $V(D(k,q))$ ($V(D(q))$) whose equivalence classes are the connected components of this graph. Obviously $u \tau v$ implies $u \tau' v$. If char $F_q$ is an odd number, the converse of the last proposition is true (see [20] and further references).



Proposition 3 Let $q$ be an odd number. Vertices $u$ and $v$ of $D(q)$ ($D(k,q)$) belong to the same connected component iff $a(u) = a(v)$, i.e., $\tau = \tau'$ and $EQ(q) = CD(q)$ ($EQ(k,q) = CD(k,q)$).

The condition char $F_q \ne 2$ in the last proposition is essential. For instance, the graph $EQ(k,4)$, $k \ge 3$, contains 2 isomorphic connected components. Clearly $EQ(k,2)$ is a union of cycles $CD(k,2)$. Thus neither $EQ(k,2)$ nor $CD(k,2)$ is an interesting family of graphs of high girth. But the case of the graphs $EQ(k,q)$, $q$ a power of 2, $q > 2$, is very important for coding theory.

Corollary 1 Let us consider a general vertex

$x = (x_1, x_{1,1}, x_{2,1}, x_{1,2}, \ldots, x_{i,i}, x'_{i,i}, x_{i+1,i}, x_{i,i+1}, \ldots),$

$i = 2, 3, \ldots$ of the connected component $CD(k, F_q)$ which contains a chosen vertex $v$. Then the coordinates $x_{i,i}$, $x_{i,i+1}$, $x_{i+1,i}$ can be chosen independently as "free parameters" from $F_q$ and $x'_{i,i}$ could be computed successively as the unique solutions of the equations $a_i(x) = a_i(v)$, $i = 1, \ldots$

2.2 Geometrical interpretation of the algorithm 

We can change $F_q$ for an integral domain $K$ and introduce the graph $D(K)$ as the graph given by equations (1) over $K$ and repeat all results of the previous section. If we assume that $K$ is a general commutative ring then we will lose just the bounds on the girth.

The graph $D(K)$, where $K$ is an integral domain, is a forest consisting of isomorphic edge-transitive trees (see [17] or [2]).

Notice that each tree is a bipartite graph. We may choose a vertex $x$ and refer to all vertices at even distance from it as points. So all remaining vertices are lines.

We may identify all vertices from $P = K^\infty$ with the union of the point-sets for all trees from $D(K)$. Another copy $L$ of $K^\infty$ we will treat as the totality of all lines in our forest.

For our Diffie-Hellman key exchange protocol Alice has to go to the infinite magic forest $D(K)$ and do the following lumberjack's business:



1) Truncate all trees there by deleting all components with number $> n + 1$. So Alice gets a finite dimensional graph $D(n,K)$ which is a union of isomorphic connected components $CD(n,K)$, the truncated trees.

Notice, if you plant a truncated tree $CD(n,K)$ and let $n \to \infty$ then it will grow to the projective limit of $CD(n,K)$, which is an infinite regular tree.

2) We define a special colouring of the graph $D(n,K)$ (or $D(K)$) in the following way. Let us identify our simple graph with the directed graph of the corresponding symmetric binary relation. We introduce the colour of the directed arrow between two ordered vertices $v_1$ and $v_2$ of our graph as the difference of their first coordinates. It is $l_{1,0} - p_{0,1}$, i.e. $l_1 - p_1$, if $v_1$ is a point $(p)$ and $-(l_{1,0} - p_{0,1})$ if $v_1$ is a line $[l]$.

Let $X(\alpha, \beta)$ be the operator on the vertices of the graph $D(K)$ moving a point $(p)$ to its neighbour alongside the edge of colour $\alpha$ and moving a line $[l]$ to its neighbour alongside the edge of colour $\beta$. It is clear that $X(\alpha, \beta) X(-\beta, -\alpha)$ is the identity map $e$. So $X(\alpha, \beta)^{-1} = X(-\beta, -\alpha)$. We assume that $N_\alpha = X(\alpha, \alpha)$.

Let us define the infinite group $GD(K)$ generated by elements of kind $g = N_{\alpha_1} N_{\alpha_2} \ldots N_{\alpha_{2s-1}} N_{\alpha_{2s}}(x)$, $s = 1, 2, \ldots$, corresponding to walks of even length within the tree starting in the general vertex $x$. It is a transformation group of the variety $P \cup L$. It acts transitively on $P$ (or $L$). $(GD(K), P)$ is a subgroup of the Cremona group of the variety $K^\infty$.

The computation of $g = N_{\alpha_1} N_{\alpha_2} \ldots N_{\alpha_{2s-1}} N_{\alpha_{2s}}(x)$ in the transformation group $(GD(K), P)$ corresponds to a walk in $D(K)$ of even length within the tree starting with the point $x$. So the group $G$ is the totality of all point-to-point walks in our forest.

The composition of $g_1$ and $g_2$ as functions of the variable $x$ is the walk corresponding to $g_1$ with starting point $x$ combined with the walk corresponding to $g_2$ with starting point $g_1(x)$ and final point $g_2(g_1(x))$.

Each path of even length in the graph starting from a point $(p)$ can be obtained as a sequence $(p)$, $v_1 = N_{\alpha_1}(p)$, $v_2 = N_{\alpha_2}(v_1)$, $\ldots$, $v_{2k} = N_{\alpha_{2k}}(v_{2k-1})$.

Each element of $GD(K)$ has infinite order because our forest does not contain cycles.

Let us consider our symbolic Diffie-Hellman protocol for the infinite transformation group $(GD(K), P)$.

a) In the case of this group Alice is hiding a general point $x$ by a "quasi random" affine transformation $T$ and sending $g(T(x))$ to Bob.

b) Further Bob chooses his key $k_B$ and computes the transformation $h_B = g(T(x))^{k_B}$ of the point set for the tree. He makes this computation "in darkness" because he has no information on the forest; he has to apply standard tools for symbolic computations.

c) Alice computes $h_A = g(T(x))^{k_A}$. She can make it fast via the repetition of the walk $g$ from the vertex $T(x)$ several times.

d) Alice and Bob are getting the collision vector as $h_B^{k_A}$ and $h_A^{k_B}$ respectively.

2.3 Truncated trees and corresponding stable group 

Now we change the forest $D(K)$ for the bunch of truncated trees from $D(n,K)$. The computations $g = N_{\alpha_1} N_{\alpha_2} \ldots N_{\alpha_{2s-1}} N_{\alpha_{2s}}(x)$ generate the group $(GD(n,K), P \cup L)$ corresponding to all walks in $D(n,K)$ of even length starting in the vertex $x$.

Each path of even length in the graph starting from a point $(p)$ can be obtained as a sequence $(p)$, $v_1 = N_{\alpha_1}(p)$, $v_2 = N_{\alpha_2}(v_1)$, $\ldots$, $v_{2k} = N_{\alpha_{2k}}(v_{2k-1})$.

Now Alice and Bob can do the key exchange similarly to the case of $GD(K)$, but in the finite group $GD(n,K)$, where $K$ is a finite ring.

REMARK. The generalised graph $D(n,K)$ can be defined on the vertex set $K^n \cup K^n$ in the case of an arbitrary ring $K$ by equations (1). Notice that if $K$ contains zero divisors then the girth drops; it is bounded by a constant.

The next result follows instantly from 



Theorem 3 Let $K$ be a commutative ring containing at least 3 regular elements. The sequence of subgroups $GD(n,K)$ of the Cremona group $C(n,K)$ forms a family of stable subgroups of degree 3.

We refer to an element $g = N_{\alpha_1} N_{\alpha_2} \ldots N_{\alpha_{2s-1}} N_{\alpha_{2s}}$ for which $\alpha_i \ne \alpha_{i+1}$, $i = 1, 2, \ldots, 2s-1$, as an irreducible element of length $s$.

Let $\phi_n$ be the canonical homomorphism of $GD(K)$ onto $GD(n,K)$.

The following proposition follows from the results on the girth of the previous section. Now it is very important that $K = F_q$.

Proposition 4 The order of each nonidentical element of $GD(F_q)$ is infinite. Let $g \in GD(F_q)$ be a regular element of length $l(g) = k$; then the order of $g_n = \phi_n(g)$, where $k < [n+5]/2$, is bounded below by $[n+5]/4k$. The sequence $g_n$ is a family of stable elements.

So the element $b = \tau^{-1} h^{-1} g_n h \tau$, where $\tau \in AGL_n(K)$ and $h \in GD(n,K)$ is an element for which $h^{-1} g_n h$ is a cubical map, can be used as the base for the Diffie-Hellman algorithm as above for $K = F_q$.
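The walk operators $N_\alpha$ on the truncated graph $D(n,K)$ and the key exchange of sections 2.2 and 2.3, as an added example that is not code from the paper: it assumes $K = Z_{256}$, $n = 7$, a constructed colour string for the base $b = g$ and a constructed public vector $v$, both sides compute their powers by repeating the walk (Alice's shortcut; in the paper Bob would compose the published polynomial rule instead) and then evaluate the other side's rule at $v$, and the total degree of the resulting rule $b^{n_A}$ is checked against Theorem 3.

```python
"""Walks on the truncated graph D(n, K) as polynomial maps, and the key exchange
built on them.  Added example: K = Z_M and the coordinate conventions are
assumptions following the paper's relations (1) in "natural coordinates".
A polynomial in x_1..x_N is a dict {exponent tuple: coefficient mod M}."""

M = 2 ** 8   # K = Z_256 (assumed ring); its odd residues are the regular elements
N = 7        # D(7, Z_256): first 7 coordinates, hence the first 6 relations

def padd(a, b, sign=1):
    r = dict(a)
    for e, c in b.items():
        r[e] = (r.get(e, 0) + sign * c) % M
    return {e: c for e, c in r.items() if c}

def pmul(a, b):
    r = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            r[e] = (r.get(e, 0) + ca * cb) % M
    return {e: c for e, c in r.items() if c}

def const(c):
    return {(0,) * N: c % M} if c % M else {}

def var(i):
    return {tuple(1 if j == i else 0 for j in range(N)): 1}

def degree(p):
    return max((sum(e) for e in p), default=0)

def evaluate(p, v):
    total = 0
    for e, c in p.items():
        for x, k in zip(v, e):
            c = c * pow(x, k, M) % M
        total = (total + c) % M
    return total

def build_rules(n):
    """Coordinates in the order p_1, p_11, p_12, p_21 and then, for i >= 2,
    p_ii, p'_ii, p_{i,i+1}, p_{i+1,i}.  rules[j] = (a, b) encodes relation j of
    (1) as  l[j] - p[j] = l[a] * p[b]  (indices in this order; n >= 4)."""
    keys = [(1,), (1, 1), (1, 2), (2, 1)]
    i = 2
    while len(keys) < n:
        keys += [(i, i), (i, i, "'"), (i, i + 1), (i + 1, i)]
        i += 1
    keys = keys[:n]
    idx = {k: j for j, k in enumerate(keys)}
    rules = [None, (0, 0), (idx[(1, 1)], 0), (0, idx[(1, 1)])]
    for k in keys[4:]:
        if len(k) == 3:             # l'_ii - p'_ii = l_{i,i-1} p_1
            rules.append((idx[(k[0], k[0] - 1)], 0))
        elif k[0] == k[1]:          # l_ii - p_ii = l_1 p_{i-1,i}
            rules.append((0, idx[(k[0] - 1, k[0])]))
        elif k[1] == k[0] + 1:      # l_{i,i+1} - p_{i,i+1} = l_ii p_1
            rules.append((idx[(k[0], k[0])], 0))
        else:                       # l_{i+1,i} - p_{i+1,i} = l_1 p'_ii
            rules.append((0, idx[(k[1], k[1], "'")]))
    return rules

RULES = build_rules(N)

def step(v, colour, is_point):
    """N_colour: the unique neighbour of v along the arrow of that colour.  The
    colour is the difference of first coordinates (sign flipped for lines), so
    point -> line: l_1 = p_1 + colour and line -> point: p_1 = l_1 + colour."""
    w = [padd(v[0], const(colour))]
    for j in range(1, N):
        a, b = RULES[j]
        if is_point:                # solve relation j for the line coordinate
            w.append(padd(v[j], pmul(w[a], v[b])))
        else:                       # solve relation j for the point coordinate
            w.append(padd(v[j], pmul(v[a], w[b]), -1))
    return w

def walk(point, colours):
    """g = N_{a_1} N_{a_2} ... N_{a_2s}(x): apply the colours in order."""
    if len(colours) % 2:
        raise ValueError("only walks of even length map points to points")
    v, is_point = point, True
    for c in colours:
        v, is_point = step(v, c, is_point), not is_point
    return v

GENERIC_POINT = [var(i) for i in range(N)]   # the general point x = (x_1, ..., x_n)

def power_map(colours, k):
    """b^k as a polynomial rule, computed Alice's way: repeat the walk k times."""
    return walk(GENERIC_POINT, list(colours) * k)

def apply_map(rule, v):
    return [evaluate(p, v) for p in rule]

def key_exchange(colours, n_a, n_b, v):
    """Public: the base b (its walk colours) and the vector v.  Alice publishes
    c_A = b^{n_A}, Bob c_B = b^{n_B}; each raises the other's rule to its own
    secret exponent by iterated evaluation at v and gets the collision vector."""
    c_a, c_b = power_map(colours, n_a), power_map(colours, n_b)
    alice = bob = v
    for _ in range(n_a):
        alice = apply_map(c_b, alice)
    for _ in range(n_b):
        bob = apply_map(c_a, bob)
    return c_a, alice, bob
```

With the constructed colours `[3, 5, 7, 9]` (odd, hence regular in $Z_{256}$, and without backtracking), `key_exchange([3, 5, 7, 9], 11, 7, [1, 2, 3, 4, 5, 6, 7])` returns a rule $c_A$ whose coordinates have total degree at most 3 (exactly 3 in $p_{22}$) together with two equal collision vectors, and `walk(point, [a, -a])` returns the point itself, which is the identity $N_{-\alpha} N_{\alpha} = e$.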

3 On the regular directed graph with special colouring

A directed graph is an irreflexive binary relation $\phi \subset V \times V$, where $V$ is the set of vertices.




Let us introduce two sets

$id(v) = \{x \in V \mid (v, x) \in \phi\},$

$od(v) = \{x \in V \mid (x, v) \in \phi\}$

as the sets of inputs and outputs of the vertex $v$. Regularity means that the cardinalities of these two sets (input and output degree) are the same for each vertex.

Let $\Gamma$ be a regular directed graph and $E(\Gamma)$ the set of arrows of the graph $\Gamma$. Let us assume that additionally we have a colouring function, i.e. the map $\pi: E \to M$ onto the set of colours $M$, such that for each vertex $v \in V$ and $a \in M$ there exists a unique neighbour $u \in V$ with the property $\pi((v,u)) = a$, and the operator $N_a(v) := N(a, v)$ of taking the neighbour $u$ of a vertex $v$ within the arrow $v \to u$ of colour $a$ is a bijection. In this case we refer to $\Gamma$ as a rainbow-like graph.

For each string of colours $(a_1, a_2, \ldots, a_m)$, $a_i \in M$, we can generate a permutation $\pi$ which is the composition $N_{a_1} \times N_{a_2} \times \cdots \times N_{a_m}$ of the bijective maps $N_{a_i}: V(\Gamma) \to V(\Gamma)$. Let us assume that the map $u \to N_a(u)$ is a bijection. For a given vertex $v \in V(\Gamma)$ the computation of $\pi$ corresponds to the chain in the graph:

$v \to v_1 = N(a_1, v) \to v_2 = N(a_2, v_1) \to \cdots \to v_m = N(a_m, v_{m-1}) = v'.$

Let $G_\Gamma$ be the group generated by the permutations $\pi$ as above.

E. Moore [12] used the term tactical configuration of order $(s,t)$ for biregular bipartite simple graphs with bidegrees $s+1$ and $t+1$. It corresponds to the incidence structure with the point set $P$, line set $L$ and symmetric incidence relation $I$. Its size can be computed as $|P|(s+1)$ or $|L|(t+1)$.

Let $F = \{(p,l) \mid p \in P, l \in L, pIl\}$ be the totality of flags for the tactical configuration with partition sets $P$ (point set) and $L$ (line set) and incidence relation $I$. We define the following irreflexive binary relation $\phi$ on the set $F$: let $(P,L,I)$ be the incidence structure corresponding to a regular tactical configuration of order $t$.

Let $F_1 = \{(l,p) \mid l \in L, p \in P, lIp\}$ and $F_2 = \{[l,p] \mid l \in L, p \in P, lIp\}$ be two copies of the totality of flags for $(P,L,I)$. Brackets and parentheses allow us to distinguish elements from $F_1$ and $F_2$. Let $DF(I)$ be the directed graph (double directed flag graph) on the disjoint union of $F_1$ with $F_2$ defined by the following rules:

$(l_1, p_1) \to [l_2, p_2]$ if and only if $p_1 = p_2$ and $l_1 \ne l_2$,

$[l_2, p_2] \to (l_1, p_1)$ if and only if $l_1 = l_2$ and $p_1 \ne p_2$.
4 Construction of new stable groups corresponding to rainbow like graphs

Let us consider the double directed graph $DD(n,K)$ for the bipartite graph $D(n,K)$ and the infinite double directed flag graph $DD(K)$ for $D(K)$, defined over the commutative ring $K$. Let $N = N_{\alpha,\beta}(v)$ be the operator of taking the neighbour alongside the output arrows of colours $\alpha, \beta \in Reg(K)$ of the vertex $v \in F_1 \cup F_2$ by the following rule. If $v = \langle (p), [l] \rangle \in F_1$ then $N(v) = v' = [[l], (p')] \in F_2$, where the colour of $v'$ is $\alpha = p'_1 - p_1$; if $v = [[l], (p)] \in F_2$ then $N(v) = v' = \langle (p), [l'] \rangle \in F_1$, where the colour of $v'$ is $\beta = l'_1 - l_1$.

Let us consider the elements $Z(\alpha, \beta) = N_{\alpha,0} N_{0,\beta}$. It moves $v \in F_1$ into $v' \in F_1$ at distance two from $v$ and fixes each $u \in F_2$. Notice that $Z(\alpha, \beta) Z(-\alpha, -\beta)$ is the identity map.

We consider the group $GF(n+1, K)$ ($GF(K)$, respectively) generated by all transformations $Z(\alpha, \beta)$ for nonzero $\alpha, \beta \in K$ acting on the variety $F_1 = K^{n+1}$ ($K^\infty$).

Theorem 4 The sequence of subgroups $GF(n,K)$ of the Cremona group $C(n,K)$ forms a family of subgroups of degree 3.

Proof

In the first step we connect a point with a line to get two sets of vertices of the new graph:

$F = \{((p), [l]) \mid (p)I[l]\} = K^{n+1}$

$F' = \{[[l], (p)] \mid [l]I(p)\} = K^{n+1}.$

Now we define the following relation between vertices of the new graph:

$((p), [l]) R [[l'], (p')] \Leftrightarrow [l] = [l'] \ \&\ p_1 - p'_1 \in K$

$[[l'], (p')] R ((p), [l]) \Leftrightarrow (p') = (p) \ \&\ l'_1 - l_1 \in K$

Our key will be $\alpha_1, \alpha_2, \ldots, \alpha_n$ such that $\alpha_i \in Reg K$.
As a first vertex we take

$[[l], (p)] = (l_1, l_{1,1}, l_{1,2}, \ldots, l_{i,j}, p_1)$

(our variables). Using the above relation we get the next vertex:

$((p)^{(1)}, [l]^{(2)}) = (p_1, p^{(1)}_{11}, \ldots, p^{(1)}_{ij}, l_1 + \alpha_1)$
with coefficients of degree 2 or 3, where

$p^{(1)}_{11} = l_{11} - l_1 p_1$, deg = 2

$p^{(1)}_{12} = l_{12} - l_{11} p_1$, deg = 2

$p^{(1)}_{21} = l_{21} - l_1 (l_{11} - l_1 p_1)$, deg = 3

$p'^{(1)}_{ii} = l'_{ii} - p_1 l_{i,i-1}$, deg = 2

$p^{(1)}_{i,i+1} = l_{i,i+1} - p_1 l_{ii}$, deg = 2

$p^{(1)}_{ii} = l_{ii} - l_1 (l_{i-1,i} - p_1 l_{i-1,i-1})$, deg = 3

$p^{(1)}_{i+1,i} = l_{i+1,i} - l_1 (l'_{ii} - p_1 l_{i,i-1})$, deg = 3

Similarly we get the third vertex:

$[[l]^{(2)}, (p)^{(3)}] = (l_1 + \alpha_1, l^{(2)}_{11}, \ldots, l^{(2)}_{ij}, p_1 + \alpha_2)$

also with coefficients of degree 2 or 3, where

$l^{(2)}_{11} = l_{11} + l_1 p_1$, deg = 2

$l^{(2)}_{12} = l_{12} + \alpha_1 p_1^2$, deg = 2

$l^{(2)}_{21} = l_{21} + \alpha_1 p^{(1)}_{11}$, deg = 2

$l^{(2)}_{ii} = l_{ii} + \alpha_1 p^{(1)}_{i-1,i}$, deg = 2

$l^{(2)}_{i+1,i} = l_{i+1,i} + \alpha_1 p'^{(1)}_{ii}$, deg = 2

$l'^{(2)}_{ii} = l'_{ii} + \alpha_1 p_1 p'^{(1)}_{i-1,i-1}$, deg = 3

$l^{(2)}_{i,i+1} = l_{i,i+1} + \alpha_1 p_1 p^{(1)}_{i-1,i}$, deg = 3



Let us denote

$$p_1^{(2k-1)} = p_1 + \alpha_2 + \alpha_4 + \cdots + \alpha_{2k-2} = p_1 + \bar{\alpha}_{(2k-2)},$$

$$l_1^{(2k)} = l_1 + \alpha_1 + \alpha_3 + \cdots + \alpha_{2k-1} = l_1 + \bar{\alpha}_{(2k-1)}.$$

Assume that the vertices

$$((p)^{(2k-1)},[l]^{(2k)}) = (p_1^{(2k-1)}, p^{(2k-1)}_{1,1}, \dots, p^{(2k-1)}_{i,j}, l_1^{(2k)})$$

have degrees

$$\deg p^{(2k-1)}_{i,j}(l_1, l_2, \dots, l_k, p_1) = \begin{cases} 2, & (i,j) = (i,i)' \text{ or } (i,j) = (i,i+1), \\ 3, & (i,j) = (i,i) \text{ or } (i,j) = (i+1,i), \end{cases}$$

and

$$\deg l^{(2k)}_{i,j}(l_1, l_2, \dots, l_k, p_1) = \begin{cases} 2, & (i,j) = (i,i) \text{ or } (i,j) = (i+1,i), \\ 3, & (i,j) = (i,i)' \text{ or } (i,j) = (i,i+1). \end{cases}$$

Now we would like to find the degrees of the polynomials of the vertices $((p)^{(2k+1)}, [l]^{(2k+2)})$
and $\{[l]^{(2k+2)}, (p)^{(2k+3)}\}$.

The components of these vertices, with their degrees, are:

$$p^{(2k+1)}_{1,1} = p^{(2k-1)}_{1,1} - \alpha_{2k} l_1^{(2k)}, \qquad \deg = 2,$$

$$p^{(2k+1)}_{i,i+1} = p^{(2k-1)}_{i,i+1} - \alpha_{2k} l^{(2k)}_{i,i}, \qquad \deg = 2,$$

$$p^{(2k+1)}_{i,i} = p^{(2k-1)}_{i,i} + \alpha_{2k} l_1^{(2k)} l^{(2k)}_{i-1,i-1}, \qquad \deg = 3,$$

$$p^{(2k+1)}_{i+1,i} = p^{(2k-1)}_{i+1,i} + \alpha_{2k} l_1^{(2k)} l^{(2k)}_{i,i-1}, \qquad \deg = 3,$$

$$l^{(2k+2)}_{i,i} = l^{(2k)}_{i,i} + \alpha_{2k+1} p^{(2k+1)}_{i-1,i}, \qquad \deg = 2,$$

$$l^{(2k+2)}_{i+1,i} = l^{(2k)}_{i+1,i} + \alpha_{2k+1} p'^{(2k+1)}_{i,i}, \qquad \deg = 2,$$

$$l'^{(2k+2)}_{i,i} = l'^{(2k)}_{i,i} + \alpha_{2k+1} p_1^{(2k+1)} p'^{(2k+1)}_{i-1,i-1}, \qquad \deg = 3,$$

$$l^{(2k+2)}_{i,i+1} = l^{(2k)}_{i,i+1} + \alpha_{2k+1} p_1^{(2k+1)} p^{(2k+1)}_{i-1,i}, \qquad \deg = 3.$$

Hence, by induction, we get

$$\deg p^{(2k+1)}_{i,j}(l_1, l_2, \dots, l_k, p_1) = \begin{cases} 2, & (i,j) = (i,i)' \text{ or } (i,j) = (i,i+1), \\ 3, & (i,j) = (i,i) \text{ or } (i,j) = (i+1,i). \end{cases}$$

Finally, using the affine transformation in the same way as in [?], independently
of the length of the password we get polynomials of degree 3.
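The walk from the proof above, carried out symbolically as an added example (not the paper's program): it runs the key-driven walk on the first four coordinates of $D(n,K)$ over $K = \mathbb{Z}_{2^8}$, using the standard incidence relations of that graph (assumed here), and reports the polynomial degree of every coordinate, which stays bounded by 3 however long the key $\alpha_1, \dots, \alpha_k$ is.

```python
# Added example, not the paper's code: the walk from the proof of Theorem 4 done
# symbolically on the first four coordinates of D(n,K) over K = Z_256; a polynomial
# is a dict exponent-tuple -> coefficient, the incidence relations are assumed.
from itertools import product
NV, MOD = 5, 256   # variables l1, l11, l12, l21, p1 (in this order); K = Z_{2^8}
def var(i):
    return {tuple(1 if j == i else 0 for j in range(NV)): 1}

def add(a, b, sign=1):                    # a + sign*b, coefficients reduced mod 256
    r = dict(a)
    for m, c in b.items():
        r[m] = (r.get(m, 0) + sign * c) % MOD
        if not r[m]:
            del r[m]
    return r

def mul(a, b):
    r = {}
    for (m1, c1), (m2, c2) in product(a.items(), b.items()):
        m = tuple(x + y for x, y in zip(m1, m2))
        r[m] = (r.get(m, 0) + c1 * c2) % MOD
    return {m: c for m, c in r.items() if c}

def degree(a):
    return max((sum(m) for m in a), default=-1)
def point_on_line(l, p1):
    """Point (p1, p11, p12, p21) incident to the line l = (l1, l11, l12, l21)."""
    l1, l11, l12, l21 = l
    p11 = add(l11, mul(l1, p1), -1)    # l11 - p11 = l1 * p1
    p12 = add(l12, mul(l11, p1), -1)   # l12 - p12 = l11 * p1
    return (p1, p11, p12, add(l21, mul(l1, p11), -1))   # l21 - p21 = l1 * p11

def line_on_point(p, l1):
    """Line (l1, l11, l12, l21) incident to the point p: same relations, solved for l."""
    p1, p11, p12, p21 = p
    l11 = add(p11, mul(l1, p1))
    return (l1, l11, add(p12, mul(l11, p1)), add(p21, mul(l1, p11)))

def walk(alphas):
    """Walk driven by key alpha_1..alpha_k (odd = regular in Z_256) from the generic
    flag of variables, alternating line -> point -> line; returns coordinate degrees."""
    l = tuple(var(i) for i in range(4))
    p = point_on_line(l, var(4))              # (p)^(1): the point of the start flag
    for k, a in enumerate(alphas, 1):
        shift = {(0,) * NV: a % MOD}
        if k % 2:                             # odd step: line with l1 + alpha_k
            l = line_on_point(p, add(l[0], shift))
        else:                                 # even step: point with p1 + alpha_k
            p = point_on_line(l, add(p[0], shift))
    return tuple(map(degree, p)), tuple(map(degree, l))
```

`walk([])` reproduces the degrees (1, 2, 2, 3) of $p_1, p^{(1)}_{1,1}, p^{(1)}_{1,2}, p^{(1)}_{2,1}$ listed above, and a twelve-step walk with a constructed odd key leaves every coordinate at degree 3 or less.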

Canonical graph homomorphisms $u_n : DD(n,K) \to DD(n-1,K)$ can be
naturally extended to group homomorphisms of $GF(n+1,K)$ onto $GF(n,K)$. It
means that the group $GF(K)$ is a projective limit of $GF(n,K)$. Let $\delta_n$ be the canonical
homomorphism of $GF(K)$ onto $GF(n,K)$.

Let $\mathrm{Reg}(K)$ be the totality of regular elements of $K$, i.e. non-zero-divisors. We
may consider the restriction of the graph $DD(n,K)$ obtained via the following
additional condition:

$$((p),[l])\;R\;\{[l'],(p')\} \Leftrightarrow [l] = [l'] \ \&\ p_1 - p'_1 \in \mathrm{Reg}(K),$$

$$\{[l'],(p')\}\;R\;((p),[l]) \Leftrightarrow (p') = (p) \ \&\ l'_1 - l_1 \in \mathrm{Reg}(K).$$

We restrict the operators $N_{\alpha,\beta}$ and $Z(\alpha,\beta)$ simply by adding the restrictions $\alpha, \beta \in
\mathrm{Reg}(K)$. Let $Q_n = Q(n,K)$ be the restricted group and $Q = Q(K)$ the projective
limit of $Q(n,K)$, $n \to \infty$.

In [15], [IS] it was shown that the projective limit of the graphs $DD(n,K)$ is an acyclic
graph and the length of a minimal directed cycle in $DD(n,K)$ is bounded below
by $[n+5]/2$. It means that we get the following statement.

Proposition 5 The order of each nonidentical element of $Q(K)$ is infinite. Let
$g \in Q(K)$ be an element of length $l(g) = k$; then the order of its projection
$g_n = \delta_n(g) \in Q_n$, where $k < [n+5]/2$, is bounded below by $[n+5]/2k$. The
sequence $g_n$ forms a family of stable elements of increasing order.

Theorem 1 follows immediately from Theorem 4 and Proposition 5.

5 On the time evaluation for the public rule

Recall that we combine a graph transformation $N_i$ with two affine transformations
$T_1$ and $T_2$. Alice can use $T_1 N_i T_2$ for the construction of the following
public map:

$$y = (F_1(x_1, \dots, x_n), \dots, F_n(x_1, \dots, x_n)).$$

The $F_i(x_1, \dots, x_n)$ are polynomials in $n$ variables written as sums of monomials
of the kind $x_{i_1}^{m_1} x_{i_2}^{m_2} x_{i_3}^{m_3}$ with coefficients from $K = F_q$, where $i_1, i_2, i_3 \in \{1, 2, \dots, n\}$
and $m_1, m_2, m_3$ are positive integers such that $m_1 + m_2 + m_3 \le 3$. As we mentioned
before, the polynomial equations $y_i = F_i(x_1, x_2, \dots, x_n)$, $i = 1, 2, \dots, n$, which
are made public, have degree 3. Hence the encryption and the
decryption can be done in polynomial time $O(n^4)$ (in one $y_i$, $i = 1, 2, \dots, n$, there
are $2(n^3 - 1)$ additions and multiplications). But the cryptanalyst Cezar, having
only the formula for $y$, has the very hard task of solving the system of $n$ equations in
$n$ variables of degree 3. It is solvable in exponential time $O(3^n)$ by the general
algorithm based on the Gröbner basis method. Anyway, studies of specific features of
our polynomials could lead to effective cryptanalysis. This is an open problem
for specialists.

We have written a program for generating a public key and for encrypting text
using the generated public key. The program is written in C++ and compiled
with the Borland bcc 5.5.1 compiler.

As $A$ we use a matrix in which all diagonal elements equal 1, the elements in the first
row are non-zero and all other elements are zero; the identity matrix as $B$; and
null vectors as $c$ and $d$. In such a case the cost of executing the affine transformations
is linear.

Table 1 presents the time (in milliseconds) of the generation of the public
key depending on the number of variables ($n$) and the password length ($p$).

Table 2 presents the time (in milliseconds) of the encryption process depending
on the number of bytes in the plaintext ($n$) and the number of bytes in a character
Table 1: Time of public key generation (in milliseconds)

            p = 10     p = 20     p = 30     p = 40     p = 50     p = 60
n = 10          15         15         16         32         31         32
n = 20         109        250        391        531        687        843
n = 30         609       1484       2468       3406       4469       5610
n = 40        2219       7391      12828      18219      24484      29625
n = 50        5500      17874      34078      49952      66749      82328
n = 60       12203      42625      87922     138906     192843     242734
n = 70       22734      81453     169250     286188     405500     536641
n = 80       46015     165875     350641     619921     911781    1202375
n = 90       92125     332641     708859    1262938    1894657    2525360
n = 100     159250     587282    1282610    2220610    3505532    4899657


Table 2: Time of encryption (in milliseconds)

            Z_{2^8}   Z_{2^16}   Z_{2^32}
n = 20           16
n = 40          265         47         15
n = 60         1375        188         15
n = 80         3985        578         47
n = 100       10078       1360        125